The Extensible Authentication Protocol (EAP) is a general protocol for point-to-point authentication that supports a variety of authentication methods. EAP does not select an authentication method during the link establishment phase; instead, it defers the selection to the authentication phase. Thus, the authenticating party can decide which authentication method to use after receiving more information. This mechanism also permits a point-to-point authenticating party to simply pass the received authentication messages transparently through to a backend authentication server, which actually implements the various authentication methods. After the link phase is completed, the authenticating party transmits one or more request messages to the counterpart. Each request message contains a type field specifying the kind of information the authenticating party requests, such as the identity of the counterpart, an MD5 challenge, a One Time Password (OTP) or a generic token card. The MD5 challenge corresponds to the challenge of the CHAP authentication protocol. Typically, the authenticating party first transmits an identity request message and then transmits other request messages. Of course, it is not necessary to transmit the identity request message first; where the identity of the counterpart is already known (such as on a leased line or a dial-up line), this step can be skipped. The counterpart replies to each request message with one response message. Like the request message, the response message also contains a type field, which corresponds to the type field of the request message being answered. The authenticating party ends the authentication process by transmitting a success or failure message. Compared with other authentication methods, the advantage of EAP is that it can support a variety of authentication mechanisms without negotiating them in advance during the LCP phase.
Some devices (such as a network access server) need not be concerned with the actual meaning of each request message; they serve as proxies that transparently forward the authentication messages to the backend authentication server. Such devices only need to know whether the authentication result is success or failure, and then end the authentication phase.
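The request/response exchange described above, modelled end to end as an added example (not code from the original document): an authenticator sends an Identity request, then an MD5-Challenge request, and finishes with Success or Failure after checking the peer's answer against its own stored secret. The codes and method types are the RFC 3748 values; the function names, the `server_db` dictionary and the sample secret and challenge are constructed for illustration.

```python
import hashlib, hmac, os, struct

# EAP codes and method types from RFC 3748 (standard values, not page-specific)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, MD5_CHALLENGE, OTP, GTC = 1, 4, 5, 6

def encode_eap(code, identifier, type_=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if code in (SUCCESS, FAILURE) else bytes([type_]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def decode_eap(pkt):
    """Parse an EAP packet; the Length field must match the bytes actually received."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    if code in (SUCCESS, FAILURE):
        return code, identifier, None, b""
    return code, identifier, pkt[4], pkt[5:]

def md5_challenge_value(identifier, secret, challenge):
    """RFC 1994 CHAP value reused by EAP MD5-Challenge: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def run_exchange(peer_name, peer_secret, server_db, challenge=None):
    """Authenticator-driven Identity + MD5-Challenge rounds; returns (ok, packets)."""
    packets = []
    # Round 1: Identity request, Identity response
    req = encode_eap(REQUEST, 1, IDENTITY)
    _, ident, type_, _ = decode_eap(req)
    resp = encode_eap(RESPONSE, ident, type_, peer_name)
    _, _, _, claimed = decode_eap(resp)          # server learns the claimed identity
    packets += [req, resp]
    # Round 2: MD5-Challenge request and response, both carrying Value-Size, Value, Name
    challenge = challenge or os.urandom(16)      # constructed challenge if none supplied
    req = encode_eap(REQUEST, 2, MD5_CHALLENGE, bytes([len(challenge)]) + challenge + b"nas")
    _, ident, _, tdata = decode_eap(req)
    chal = tdata[1:1 + tdata[0]]                 # peer extracts the challenge from Type-Data
    value = md5_challenge_value(ident, peer_secret, chal)
    resp = encode_eap(RESPONSE, ident, MD5_CHALLENGE, bytes([len(value)]) + value + peer_name)
    packets += [req, resp]
    # Server side: recompute with its own stored secret and compare in constant time
    _, ident, _, tdata = decode_eap(resp)
    expected = md5_challenge_value(ident, server_db.get(claimed, b""), challenge)
    ok = claimed in server_db and hmac.compare_digest(tdata[1:1 + tdata[0]], expected)
    packets.append(encode_eap(SUCCESS if ok else FAILURE, ident))
    return ok, packets
```

The returned packet list makes the two request/response rounds visible: five packets in total, the last being the Success or Failure message with no type field.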
The Evolved Packet System (EPS for short) of the 3rd Generation Partnership Project (3GPP for short) consists of the Evolved UMTS Terrestrial Radio Access Network (E-UTRAN for short), the Mobility Management Entity (MME for short), the Serving Gateway (S-GW), the Packet Data Network Gateway (P-GW or PDN GW for short), the Home Subscriber Server (HSS for short), the Policy and Charging Rules Function (PCRF for short) entity and other supporting nodes.
In FIG. 1, the MME is responsible for control plane functions such as mobility management, non-access stratum signaling processing and management of the user's mobility management context; the S-GW is an access gateway device connected to the E-UTRAN, which forwards data between the E-UTRAN and the P-GW and is responsible for buffering data while waiting for paging; the P-GW is the border gateway between the EPS and a Packet Data Network (PDN for short), responsible for functions such as access to the PDN and data forwarding between the EPS and the PDN; and the PCRF is the policy and charging rules function entity, which is connected to the operator's Internet Protocol (IP for short) service network via the Rx interface to acquire service information and, in addition, is connected to the gateway devices in the network via the Gx/Gxa/Gxc interfaces, where it is responsible for initiating IP bearer establishment, ensuring the Quality of Service (QoS for short) of service data, and performing charging control.
During the initial attach or handover of a User Equipment (UE) to the EPS network, or the establishment of a new PDN connection, the Gateway GPRS Support Node (GGSN)/PDN GW may have the user authenticated and authorized, and related configuration parameters (such as an IP address) issued to the UE, by an authentication server (which may be provided by a third party) in an external packet data network. When the UE establishes a PDN connection through a 3GPP access network, i.e., GERAN/UTRAN/E-UTRAN, the UE transparently transmits the data that the external authentication and authorization server needs in order to authenticate and authorize it to the GGSN/PDN GW in a Protocol Configuration Options (PCO) information element. The GGSN/PDN GW then extracts the user's authentication data from the PCO and includes it in an authentication message transmitted to the external authentication and authorization server. After authenticating and authorizing the user, the external authentication and authorization server returns the authorization result and related data to the GGSN/PDN GW in an authentication response message, and the GGSN/PDN GW includes this result and data in the PCO returned to the UE. In the current standards, the PCO supports carrying the parameters of two authentication methods, the Challenge Handshake Authentication Protocol (CHAP) and the Password Authentication Protocol (PAP). As network security requirements have developed, operators have adopted the Extensible Authentication Protocol (EAP) for its better security, and EAP has also become a potential requirement of the UE for the external authentication and authorization method. However, whereas CHAP and PAP authentication need one round of interaction, EAP authentication needs two rounds of message interaction between the client and the server.
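An added example (not from the original document) of the PCO container encoding described above, carrying a CHAP Response in the single round that CHAP needs: the 0x80 header octet (extension bit set, configuration protocol PPP) and the 0xC023/0xC223 protocol identifiers are the PPP protocol numbers that 3GPP TS 24.008 reuses as PCO protocol IDs; the function names and the sample identifier, value and user name are constructed.

```python
import struct

# PPP protocol numbers reused by TS 24.008 as PCO protocol identifiers
PAP, CHAP = 0xC023, 0xC223
PCO_HEADER = 0x80      # ext bit = 1, configuration protocol = PPP
CHAP_RESPONSE = 2      # RFC 1994 CHAP code for a Response packet

def chap_response(identifier, value, name):
    """RFC 1994 CHAP Response: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_RESPONSE, identifier, 4 + len(body)) + body

def encode_pco(containers):
    """PCO contents: header octet, then (Protocol ID 2 octets, Length 1 octet, contents) repeated."""
    out = bytes([PCO_HEADER])
    for proto, contents in containers:
        if len(contents) > 255:
            raise ValueError("PCO container contents exceed the one-octet length field")
        out += struct.pack("!HB", proto, len(contents)) + contents
    return out

def decode_pco(pco):
    """Walk the containers, checking every declared length against the bytes actually present."""
    if not pco or not pco[0] & 0x80:
        raise ValueError("PCO extension bit not set")
    containers, i = [], 1
    while i < len(pco):
        if i + 3 > len(pco):
            raise ValueError("truncated container header")
        proto, length = struct.unpack("!HB", pco[i:i + 3])
        contents = pco[i + 3:i + 3 + length]
        if len(contents) != length:
            raise ValueError("container length exceeds remaining PCO")
        containers.append((proto, contents))
        i += 3 + length
    return containers
```

A gateway that extracts authentication data from the PCO, as the GGSN/PDN GW does above, should apply the same length checks before handing the contents to the authentication server.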
This characteristic of EAP authentication means that it affects the current procedure for connecting the UE to the EPS.